rbnacl-libsodium 1.0.13 → 1.0.15

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c

@@ -140,7 +140,7 @@ generate_addresses(const argon2_instance_t *instance,
     }
 }
 
-int
+void
 fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position)
 {
     block    *ref_block = NULL, *curr_block = NULL;
@@ -153,7 +153,7 @@ fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position)
     int       data_independent_addressing = 1;
 
     if (instance == NULL) {
-        return ARGON2_OK;
+        return;
     }
 
     if (instance->type == Argon2_id &&
@@ -161,12 +161,7 @@ fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position)
         data_independent_addressing = 0;
     }
 
-    pseudo_rands =
-        (uint64_t *) malloc(sizeof(uint64_t) * (instance->segment_length));
-
-    if (pseudo_rands == NULL) {
-        return ARGON2_MEMORY_ALLOCATION_ERROR;
-    }
+    pseudo_rands = instance->pseudo_rands;
 
     if (data_independent_addressing) {
         generate_addresses(instance, &position, pseudo_rands);
@@ -235,8 +230,4 @@ fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position)
                        curr_block);
         }
     }
-
-    free(pseudo_rands);
-
-    return ARGON2_OK;
 }

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c

@@ -139,7 +139,7 @@ generate_addresses(const argon2_instance_t *instance,
     }
 }
 
-int
+void
 fill_segment_ssse3(const argon2_instance_t *instance,
                    argon2_position_t        position)
 {
@@ -147,14 +147,14 @@ fill_segment_ssse3(const argon2_instance_t *instance,
     uint64_t  pseudo_rand, ref_index, ref_lane;
     uint32_t  prev_offset, curr_offset;
     uint32_t  starting_index, i;
-    __m128i   state[64];
+    __m128i   state[ARGON2_OWORDS_IN_BLOCK];
     int       data_independent_addressing = 1;
 
     /* Pseudo-random values that determine the reference block position */
     uint64_t *pseudo_rands = NULL;
 
     if (instance == NULL) {
-        return ARGON2_OK;
+        return;
     }
 
     if (instance->type == Argon2_id &&
@@ -162,11 +162,7 @@ fill_segment_ssse3(const argon2_instance_t *instance,
         data_independent_addressing = 0;
     }
 
-    pseudo_rands =
-        (uint64_t *) malloc(sizeof(uint64_t) * instance->segment_length);
-    if (pseudo_rands == NULL) {
-        return ARGON2_MEMORY_ALLOCATION_ERROR;
-    }
+    pseudo_rands = instance->pseudo_rands;
 
     if (data_independent_addressing) {
         generate_addresses(instance, &position, pseudo_rands);
@@ -238,9 +234,5 @@ fill_segment_ssse3(const argon2_instance_t *instance,
                        (uint8_t *) curr_block->v);
         }
     }
-
-    free(pseudo_rands);
-
-    return ARGON2_OK;
 }
 #endif

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.c

@@ -70,11 +70,7 @@ argon2_ctx(argon2_context *context, argon2_type type)
     }
 
     /* 4. Filling memory */
-    result = fill_memory_blocks(&instance);
-
-    if (ARGON2_OK != result) {
-        return result;
-    }
+    fill_memory_blocks(&instance);
 
     /* 5. Finalization */
     finalize(context, &instance);

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.h

@@ -47,7 +47,7 @@
     ARGON2_MIN(UINT32_C(0xFFFFFFFF), UINT64_C(1) << ARGON2_MAX_MEMORY_BITS)
 
 /* Minimum and maximum number of passes */
-#define ARGON2_MIN_TIME UINT32_C(3)
+#define ARGON2_MIN_TIME UINT32_C(1)
 #define ARGON2_MAX_TIME UINT32_C(0xFFFFFFFF)
 
 /* Minimum and maximum password length in bytes */

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-avx512f.h

@@ -0,0 +1,145 @@
+#ifndef blamka_round_avx512f_H
+#define blamka_round_avx512f_H
+
+#include "private/common.h"
+#include "private/sse2_64_32.h"
+
+#define ror64(x, n) _mm512_ror_epi64((x), (n))
+
+static inline __m512i
+muladd(__m512i x, __m512i y)
+{
+    __m512i z = _mm512_mul_epu32(x, y);
+
+    return _mm512_add_epi64(_mm512_add_epi64(x, y), _mm512_add_epi64(z, z));
+}
+
+#define G1_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1) \
+    do { \
+        A0 = muladd(A0, B0); \
+        A1 = muladd(A1, B1); \
+        \
+        D0 = _mm512_xor_si512(D0, A0); \
+        D1 = _mm512_xor_si512(D1, A1); \
+        \
+        D0 = ror64(D0, 32); \
+        D1 = ror64(D1, 32); \
+        \
+        C0 = muladd(C0, D0); \
+        C1 = muladd(C1, D1); \
+        \
+        B0 = _mm512_xor_si512(B0, C0); \
+        B1 = _mm512_xor_si512(B1, C1); \
+        \
+        B0 = ror64(B0, 24); \
+        B1 = ror64(B1, 24); \
+    } while ((void)0, 0)
+
+#define G2_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1) \
+    do { \
+        A0 = muladd(A0, B0); \
+        A1 = muladd(A1, B1); \
+        \
+        D0 = _mm512_xor_si512(D0, A0); \
+        D1 = _mm512_xor_si512(D1, A1); \
+        \
+        D0 = ror64(D0, 16); \
+        D1 = ror64(D1, 16); \
+        \
+        C0 = muladd(C0, D0); \
+        C1 = muladd(C1, D1); \
+        \
+        B0 = _mm512_xor_si512(B0, C0); \
+        B1 = _mm512_xor_si512(B1, C1); \
+        \
+        B0 = ror64(B0, 63); \
+        B1 = ror64(B1, 63); \
+    } while ((void)0, 0)
+
+#define DIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1) \
+    do { \
+        B0 = _mm512_permutex_epi64(B0, _MM_SHUFFLE(0, 3, 2, 1)); \
+        B1 = _mm512_permutex_epi64(B1, _MM_SHUFFLE(0, 3, 2, 1)); \
+        \
+        C0 = _mm512_permutex_epi64(C0, _MM_SHUFFLE(1, 0, 3, 2)); \
+        C1 = _mm512_permutex_epi64(C1, _MM_SHUFFLE(1, 0, 3, 2)); \
+        \
+        D0 = _mm512_permutex_epi64(D0, _MM_SHUFFLE(2, 1, 0, 3)); \
+        D1 = _mm512_permutex_epi64(D1, _MM_SHUFFLE(2, 1, 0, 3)); \
+    } while ((void)0, 0)
+
+#define UNDIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1) \
+    do { \
+        B0 = _mm512_permutex_epi64(B0, _MM_SHUFFLE(2, 1, 0, 3)); \
+        B1 = _mm512_permutex_epi64(B1, _MM_SHUFFLE(2, 1, 0, 3)); \
+        \
+        C0 = _mm512_permutex_epi64(C0, _MM_SHUFFLE(1, 0, 3, 2)); \
+        C1 = _mm512_permutex_epi64(C1, _MM_SHUFFLE(1, 0, 3, 2)); \
+        \
+        D0 = _mm512_permutex_epi64(D0, _MM_SHUFFLE(0, 3, 2, 1)); \
+        D1 = _mm512_permutex_epi64(D1, _MM_SHUFFLE(0, 3, 2, 1)); \
+    } while ((void)0, 0)
+
+#define BLAKE2_ROUND(A0, B0, C0, D0, A1, B1, C1, D1) \
+    do { \
+        G1_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \
+        G2_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \
+        \
+        DIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1); \
+        \
+        G1_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \
+        G2_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \
+        \
+        UNDIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1); \
+    } while ((void)0, 0)
+
+#define SWAP_HALVES(A0, A1) \
+    do { \
+        __m512i t0, t1; \
+        t0 = _mm512_shuffle_i64x2(A0, A1, _MM_SHUFFLE(1, 0, 1, 0)); \
+        t1 = _mm512_shuffle_i64x2(A0, A1, _MM_SHUFFLE(3, 2, 3, 2)); \
+        A0 = t0; \
+        A1 = t1; \
+    } while((void)0, 0)
+
+#define SWAP_QUARTERS(A0, A1) \
+    do { \
+        SWAP_HALVES(A0, A1); \
+        A0 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A0); \
+        A1 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A1); \
+    } while((void)0, 0)
+
+#define UNSWAP_QUARTERS(A0, A1) \
+    do { \
+        A0 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A0); \
+        A1 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A1); \
+        SWAP_HALVES(A0, A1); \
+    } while((void)0, 0)
+
+#define BLAKE2_ROUND_1(A0, C0, B0, D0, A1, C1, B1, D1) \
+    do { \
+        SWAP_HALVES(A0, B0); \
+        SWAP_HALVES(C0, D0); \
+        SWAP_HALVES(A1, B1); \
+        SWAP_HALVES(C1, D1); \
+        BLAKE2_ROUND(A0, B0, C0, D0, A1, B1, C1, D1); \
+        SWAP_HALVES(A0, B0); \
+        SWAP_HALVES(C0, D0); \
+        SWAP_HALVES(A1, B1); \
+        SWAP_HALVES(C1, D1); \
+    } while ((void)0, 0)
+
+#define BLAKE2_ROUND_2(A0, A1, B0, B1, C0, C1, D0, D1) \
+    do { \
+        SWAP_QUARTERS(A0, A1); \
+        SWAP_QUARTERS(B0, B1); \
+        SWAP_QUARTERS(C0, C1); \
+        SWAP_QUARTERS(D0, D1); \
+        BLAKE2_ROUND(A0, B0, C0, D0, A1, B1, C1, D1); \
+        UNSWAP_QUARTERS(A0, A1); \
+        UNSWAP_QUARTERS(B0, B1); \
+        UNSWAP_QUARTERS(C0, C1); \
+        UNSWAP_QUARTERS(D0, D1); \
+    } while ((void)0, 0)
+
+#endif

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c

@@ -3,11 +3,16 @@
 #include <limits.h>
 #include <stddef.h>
 #include <stdint.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include "argon2-core.h"
+#include "argon2-encoding.h"
 #include "argon2.h"
+#include "crypto_pwhash.h"
 #include "crypto_pwhash_argon2i.h"
+#include "crypto_pwhash_argon2id.h"
+#include "private/common.h"
 #include "randombytes.h"
 #include "utils.h"
 
@@ -22,30 +27,36 @@ crypto_pwhash_argon2i_alg_argon2i13(void)
 size_t
 crypto_pwhash_argon2i_bytes_min(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2i_BYTES_MIN >= ARGON2_MIN_OUTLEN);
     return crypto_pwhash_argon2i_BYTES_MIN;
 }
 
 size_t
 crypto_pwhash_argon2i_bytes_max(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2i_BYTES_MAX <= ARGON2_MAX_OUTLEN);
     return crypto_pwhash_argon2i_BYTES_MAX;
 }
 
 size_t
 crypto_pwhash_argon2i_passwd_min(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2i_PASSWD_MIN >= ARGON2_MIN_PWD_LENGTH);
     return crypto_pwhash_argon2i_PASSWD_MIN;
 }
 
 size_t
 crypto_pwhash_argon2i_passwd_max(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2i_PASSWD_MAX <= ARGON2_MAX_PWD_LENGTH);
     return crypto_pwhash_argon2i_PASSWD_MAX;
 }
 
 size_t
 crypto_pwhash_argon2i_saltbytes(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2i_SALTBYTES >= ARGON2_MIN_SALT_LENGTH);
+    COMPILER_ASSERT(crypto_pwhash_argon2i_SALTBYTES <= ARGON2_MAX_SALT_LENGTH);
     return crypto_pwhash_argon2i_SALTBYTES;
 }
 
@@ -64,24 +75,28 @@ crypto_pwhash_argon2i_strprefix(void)
 size_t
 crypto_pwhash_argon2i_opslimit_min(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2i_OPSLIMIT_MIN >= ARGON2_MIN_TIME);
     return crypto_pwhash_argon2i_OPSLIMIT_MIN;
 }
 
 size_t
 crypto_pwhash_argon2i_opslimit_max(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2i_OPSLIMIT_MAX <= ARGON2_MAX_TIME);
     return crypto_pwhash_argon2i_OPSLIMIT_MAX;
 }
 
 size_t
 crypto_pwhash_argon2i_memlimit_min(void)
 {
+    COMPILER_ASSERT((crypto_pwhash_argon2i_MEMLIMIT_MIN / 1024U) >= ARGON2_MIN_MEMORY);
     return crypto_pwhash_argon2i_MEMLIMIT_MIN;
 }
 
 size_t
 crypto_pwhash_argon2i_memlimit_max(void)
 {
+    COMPILER_ASSERT((crypto_pwhash_argon2i_MEMLIMIT_MAX / 1024U) <= ARGON2_MAX_MEMORY);
     return crypto_pwhash_argon2i_MEMLIMIT_MAX;
 }
 
@@ -128,20 +143,29 @@ crypto_pwhash_argon2i(unsigned char *const out, unsigned long long outlen,
                       unsigned long long opslimit, size_t memlimit, int alg)
 {
     memset(out, 0, outlen);
-    memlimit /= 1024U;
-    if (outlen > ARGON2_MAX_OUTLEN || passwdlen > ARGON2_MAX_PWD_LENGTH ||
-        opslimit > ARGON2_MAX_TIME || memlimit > ARGON2_MAX_MEMORY) {
+    if (outlen > crypto_pwhash_argon2i_BYTES_MAX) {
+        errno = EFBIG;
+        return -1;
+    }
+    if (outlen < crypto_pwhash_argon2i_BYTES_MIN) {
+        errno = EINVAL;
+        return -1;
+    }
+    if (passwdlen > crypto_pwhash_argon2i_PASSWD_MAX ||
+        opslimit > crypto_pwhash_argon2i_OPSLIMIT_MAX ||
+        memlimit > crypto_pwhash_argon2i_MEMLIMIT_MAX) {
         errno = EFBIG;
         return -1;
     }
-    if (outlen < ARGON2_MIN_OUTLEN || passwdlen < ARGON2_MIN_PWD_LENGTH ||
-        opslimit < ARGON2_MIN_TIME || memlimit < ARGON2_MIN_MEMORY) {
+    if (passwdlen < crypto_pwhash_argon2i_PASSWD_MIN ||
+        opslimit < crypto_pwhash_argon2i_OPSLIMIT_MIN ||
+        memlimit < crypto_pwhash_argon2i_MEMLIMIT_MIN) {
         errno = EINVAL;
         return -1;
     }
     switch (alg) {
     case crypto_pwhash_argon2i_ALG_ARGON2I13:
-        if (argon2i_hash_raw((uint32_t) opslimit, (uint32_t) memlimit,
+        if (argon2i_hash_raw((uint32_t) opslimit, (uint32_t) (memlimit / 1024U),
                              (uint32_t) 1U, passwd, (size_t) passwdlen, salt,
                              (size_t) crypto_pwhash_argon2i_SALTBYTES, out,
                              (size_t) outlen) != ARGON2_OK) {
@@ -163,19 +187,20 @@ crypto_pwhash_argon2i_str(char out[crypto_pwhash_argon2i_STRBYTES],
     unsigned char salt[crypto_pwhash_argon2i_SALTBYTES];
 
     memset(out, 0, crypto_pwhash_argon2i_STRBYTES);
-    memlimit /= 1024U;
-    if (passwdlen > ARGON2_MAX_PWD_LENGTH || opslimit > ARGON2_MAX_TIME ||
-        memlimit > ARGON2_MAX_MEMORY) {
+    if (passwdlen > crypto_pwhash_argon2i_PASSWD_MAX ||
+        opslimit > crypto_pwhash_argon2i_OPSLIMIT_MAX ||
+        memlimit > crypto_pwhash_argon2i_MEMLIMIT_MAX) {
         errno = EFBIG;
         return -1;
     }
-    if (passwdlen < ARGON2_MIN_PWD_LENGTH || opslimit < ARGON2_MIN_TIME ||
-        memlimit < ARGON2_MIN_MEMORY) {
+    if (passwdlen < crypto_pwhash_argon2i_PASSWD_MIN ||
+        opslimit < crypto_pwhash_argon2i_OPSLIMIT_MIN ||
+        memlimit < crypto_pwhash_argon2i_MEMLIMIT_MIN) {
         errno = EINVAL;
         return -1;
     }
     randombytes_buf(salt, sizeof salt);
-    if (argon2i_hash_encoded((uint32_t) opslimit, (uint32_t) memlimit,
+    if (argon2i_hash_encoded((uint32_t) opslimit, (uint32_t) (memlimit / 1024U),
                              (uint32_t) 1U, passwd, (size_t) passwdlen, salt,
                              sizeof salt, STR_HASHBYTES, out,
                              crypto_pwhash_argon2i_STRBYTES) != ARGON2_OK) {
@@ -191,12 +216,12 @@ crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYTES],
 {
     int verify_ret;
 
-    if (passwdlen > ARGON2_MAX_PWD_LENGTH) {
+    if (passwdlen > crypto_pwhash_argon2i_PASSWD_MAX) {
         errno = EFBIG;
         return -1;
     }
     /* LCOV_EXCL_START */
-    if (passwdlen < ARGON2_MIN_PWD_LENGTH) {
+    if (passwdlen < crypto_pwhash_argon2i_PASSWD_MIN) {
         errno = EINVAL;
         return -1;
     }
@@ -211,3 +236,55 @@ crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYTES],
     }
     return -1;
 }
+
+static int
+_needs_rehash(const char *str, unsigned long long opslimit, size_t memlimit,
+              argon2_type type)
+{
+    unsigned char  *fodder;
+    argon2_context  ctx;
+    size_t          fodder_len;
+    int             ret = -1;
+
+    fodder_len = strlen(str);
+    memlimit /= 1024U;
+    if (opslimit > UINT32_MAX || memlimit > UINT32_MAX ||
+        fodder_len >= crypto_pwhash_STRBYTES) {
+        errno = EINVAL;
+        return -1;
+    }
+    memset(&ctx, 0, sizeof ctx);
+    if ((fodder = (unsigned char *) calloc(fodder_len, 1U)) == NULL) {
+        return -1; /* LCOV_EXCL_LINE */
+    }
+    ctx.out    = ctx.pwd       = ctx.salt    = fodder;
+    ctx.outlen = ctx.pwdlen    = ctx.saltlen = (uint32_t) fodder_len;
+    ctx.ad     = ctx.secret    = NULL;
+    ctx.adlen  = ctx.secretlen = 0U;
+    if (decode_string(&ctx, str, type) != 0) {
+        errno = EINVAL;
+        ret = -1;
+    } else if (ctx.t_cost != (uint32_t) opslimit ||
+               ctx.m_cost != (uint32_t) memlimit) {
+        ret = 1;
+    } else {
+        ret = 0;
+    }
+    free(fodder);
+
+    return ret;
+}
+
+int
+crypto_pwhash_argon2i_str_needs_rehash(const char str[crypto_pwhash_argon2i_STRBYTES],
+                                       unsigned long long opslimit, size_t memlimit)
+{
+    return _needs_rehash(str, opslimit, memlimit, Argon2_i);
+}
+
+int
+crypto_pwhash_argon2id_str_needs_rehash(const char str[crypto_pwhash_argon2id_STRBYTES],
+                                        unsigned long long opslimit, size_t memlimit)
+{
+    return _needs_rehash(str, opslimit, memlimit, Argon2_id);
+}